C. Control Activities
Control activities include the policies, procedures, and mechanisms in place to help ensure that the organization's objectives are met. Examples of control activities include:
- Proper segregation of duties (separate individuals who authorize transactions from those who process and review transactions).
- Physical controls to safeguard assets.
- Proper approval of transactions and events.
- Appropriate documentation and access to that documentation.
Internal controls also need to be in place over information systems, including general and application controls. General controls apply to all information systems, such as the mainframe, network, and end-user environments, and include organization-wide security program planning, management, control over data center operations, system software acquisition, and maintenance. Application controls should be designed to ensure that transactions are properly authorized and processed accurately and that the data is valid and complete. Controls, such as edit checks, should be established at application interfaces to verify inputs and outputs. General and application controls over information systems are interrelated, and both are needed to ensure complete and accurate information processing. Because information technology changes rapidly, controls must also adapt and evolve to remain effective.